Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Security readout for executives and security teams
Plain-English summary
Netty, a widely used Java networking framework, has a flaw that lets attackers confuse how web requests are interpreted between systems. Because Netty and downstream proxies can disagree on where one request ends and another begins, attackers may sneak hidden requests through, potentially bypassing security controls or reaching internal endpoints. Upgrading to a patched Netty version resolves the issue.
Executive priority
Treat as a near-term patching priority for internet-facing Java services and API gateways. Business impact is elevated because request smuggling can undermine authentication, WAF rules, and audit trails, but no active exploitation is reported. Schedule remediation within your standard high-severity SLA and prioritize systems that terminate HTTP behind or in front of proxies.
Technical view
In Netty HttpObjectDecoder before 4.2.13.Final and 4.1.133.Final, the sanitization that strips a conflicting Content-Length when Transfer-Encoding: chunked is present only fires for HTTP/1.1. HTTP/1.0 requests bypass this guard, so Netty decodes the body as chunked while the HttpMessage still carries the original Content-Length. Downstream proxies or handlers that prefer Content-Length desynchronize on message boundaries, enabling HTTP request smuggling (CWE-444).
Likely exposure
Any Java service, gateway, or middleware using vulnerable Netty (4.2.0.Alpha1 through 4.2.12, or 4.1.x before 4.1.133.Final) to terminate HTTP is potentially exposed, especially when fronted by or fronting another HTTP intermediary. Red Hat has shipped errata affecting multiple JBoss/Middleware and OpenShift components, indicating broad downstream reach.
Exploitation context
No public reports of active exploitation and not listed in CISA KEV as of the source bundle. The GitHub Security Advisory (GHSA-xxqh-mfjm-7mv9) and Red Hat advisories describe the smuggling primitive but do not cite in-the-wild abuse. CVSS 3.1 base score is 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), reflecting network-reachable, unauthenticated preconditions with scope change.
Researcher notes
Root cause is a version-gated sanitization branch in HttpObjectDecoder that only strips conflicting Content-Length for HTTP/1.1. HTTP/1.0 flows retain both CL and TE in the emitted HttpMessage, producing classic TE.CL or CL.TE desync depending on the peer. Interesting angle: many modern intermediaries silently upgrade or downgrade to HTTP/1.0 for legacy compatibility, expanding attack surface. Review shaded/relocated Netty JARs, since SCA often misses them. CVSS scope change reflects downstream impact on the fronting proxy.
Mitigation direction
Upgrade Netty to 4.2.13.Final or 4.1.133.Final (or later) across all services and shaded dependencies.
Apply the relevant Red Hat RHSA errata (e.g., RHSA-2026:28010, 25123, 36820, 37390, 23808, 24502) to affected products.
Inventory transitive Netty usage via SBOM and dependency scanners; rebuild containers and redeploy.
Where patching is delayed, restrict or reject HTTP/1.0 requests carrying both Content-Length and Transfer-Encoding at the edge.
Confirm upstream proxies normalize or reject ambiguous framing headers per RFC 9112.
Monitor vendor guidance for embedded appliances and SaaS platforms that ship Netty.
Validation and detection
Enumerate Netty versions across build artifacts, containers, and runtime classpaths using SBOM/SCA tooling.
Verify fixed versions (4.2.13.Final / 4.1.133.Final) are loaded at runtime, not just declared in manifests.
Review edge and internal proxies for HTTP/1.0 handling and header precedence between CL and TE.
Test in a controlled lab: send benign HTTP/1.0 requests with both headers and confirm consistent framing decisions.
Check Red Hat CSAF VEX data and RHBZ#2477232 for product-specific applicability.
Track vendor advisories for downstream frameworks (Spring, Vert.x, gRPC-Java, Elasticsearch clients) that embed Netty.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-444: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-444 · source CWE mapping
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.